Experts: It's time to fix FISMA

By William Jackson

Feb 07, 2007

SAN FRANCISCO - A pair of security experts, one of them a former federal chief information security officer, gave a harsh critique Tuesday of the Federal Information Security Management Act as a well-intentioned but fundamentally flawed tool.

"A lot of your money is being thrown away," Alan Paller, director of research for the SANS Institute, told an audience at the RSA IT security conference.

The 2002 act mandates security planning for agencies, requiring a risk analysis of IT systems, and certification and accreditation of those systems.

"FISMA wasn't written badly, but the measuring system they are using is broken," Paller said. "What we measure now is, 'Do you have a plan?'" Not whether the plan actually improves security.

Too often, the plans do not improve security, said Bruce Brody, vice president of information assurance at CACI International Inc. and formerly with the Veterans Affairs and Energy departments.

"Federal systems and networks are like Swiss cheese," Brody said. "FISMA over five years has not helped us to be appreciably more secure."

The speakers described the risk analysis and C&A processes as paperwork drills that let agencies comply with the letter of the law without doing anything to improve actual security. Even so, many agencies routinely receive failing grades in the annual FISMA report cards handed out by Congress, and the government as a whole has not risen above a D. Brody said he received four Fs and one C during his term in government.

Paller offered two broad fixes for the security challenge facing government. The first is to stop blaming the user for problems and to require that vendors ship well-designed products that are securely configured by default. He also called for using "attack-based" metrics in measuring security compliance. These metrics include:

How quickly penetrations of the system are identified

The length of time it takes to deploy needed security patches

The number of accounts remaining active after employees or consultants have left an agency

Whether programming teams are including errors in code

How quickly malicious code can be found on a system.
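To show what "attack-based" metrics look like once they are computed rather than just listed, here is an added example (not from the article or from SANS) that derives three of them, time to detection, patch deployment latency and accounts left active after departure, from constructed incident, patch and identity records; all field names and values are assumptions.

```python
from datetime import date, datetime
from statistics import median

# Constructed sample records (assumptions, not agency data) -----------------
# Intrusions: when the attacker first got in vs. when the SOC noticed.
INCIDENTS = [
    {"id": "INC-1", "first_activity": datetime(2007, 1, 3, 9, 0),
     "detected": datetime(2007, 1, 3, 14, 30)},
    {"id": "INC-2", "first_activity": datetime(2007, 1, 10, 22, 0),
     "detected": datetime(2007, 1, 17, 8, 0)},
]
# Patches: vendor release date vs. date fully deployed (None = still open).
PATCHES = [
    {"id": "PATCH-A", "released": date(2007, 1, 9), "deployed": date(2007, 1, 12)},
    {"id": "PATCH-B", "released": date(2007, 1, 9), "deployed": date(2007, 2, 1)},
    {"id": "PATCH-C", "released": date(2007, 1, 23), "deployed": None},
]
# Identity data: accounts still enabled vs. HR separation dates.
ACTIVE_ACCOUNTS = {"jdoe", "asmith", "bwong", "svc_backup"}
SEPARATIONS = {"jdoe": date(2007, 1, 5), "asmith": date(2007, 2, 10)}


def detection_hours(incidents):
    """Hours between first attacker activity and detection, per incident."""
    return {i["id"]: (i["detected"] - i["first_activity"]).total_seconds() / 3600
            for i in incidents}

def patch_latency_days(patches, as_of):
    """Days from vendor release to deployment; an undeployed patch counts
    up to as_of, so an open backlog cannot hide from the metric."""
    return {p["id"]: ((p["deployed"] or as_of) - p["released"]).days for p in patches}

def orphaned_accounts(active, separations, as_of):
    """Accounts still enabled for people whose separation date has passed."""
    return sorted(u for u in active if u in separations and separations[u] < as_of)

def scorecard(as_of):
    """The three metrics as one outcome-based report card."""
    return {
        "median_detection_hours": median(detection_hours(INCIDENTS).values()),
        "median_patch_days": median(patch_latency_days(PATCHES, as_of).values()),
        "patches_open": sum(1 for p in PATCHES if p["deployed"] is None),
        "orphaned_accounts": orphaned_accounts(ACTIVE_ACCOUNTS, SEPARATIONS, as_of),
    }

if __name__ == "__main__":
    print(scorecard(date(2007, 2, 7)))
```

Each metric is a question an attacker's success depends on, which is what makes the numbers move when security actually improves and stay flat when only the paperwork does.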

Brody defined five things a CIO must know about his systems to ensure security:

The boundaries and topologies of the interconnected enterprise

The devices that are connected to the enterprise and the channels they use to connect to it

The configuration of these devices

Who is accessing these devices and whether that access is authorized

What these users are doing on the system.

"You can measure good security, but it's not being measured today," Brody said.

Brody and Paller were hopeful that changes in FISMA could be made in the new Congress.